Why The Time Has Come For Penetration Testing On IBM i
November 2, 2015 Alex Woodie
Home Depot’s point of sale (POS) system was breached in 2014, compromising information on 53 million accounts. A year before, Target’s POS was breached, putting data from at least 40 million customers in jeopardy. In both cases, the retailers were deemed “compliant” with Payment Card Industry (PCI) data security standards. But obviously there’s a big difference between complying with security regulations and actually having good security, and that’s true whether your shop runs on IBM i or any other platform.
As cyber criminals get better at penetrating computer systems (and it’s worth reminding you that they are getting very, very good), it’s becoming increasingly clear that companies need to step up their game in the security department. After hackers had free rein in the PCI-compliant systems of Target, Home Depot, and other victims–often for months before anybody even noticed something was wrong–it prompted the folks behind the PCI standards to do something about it.
That “something” included mandatory annual penetration testing of critical systems, which was implemented as part of PCI DSS 3.0 in June 2015.
Penetration testing has been commonplace in the network security world for quite a while, where ethical hackers poke and prod firewalls and other outward-facing security components for any sign of weakness. The Internet is a wild and wily place, and without that effort, e-commerce would never have matured to the level it is at now.
However, as you drill in past the firewalls and intrusion prevention systems (IPS) and into the actual repositories of sensitive data, there hasn’t been nearly as big an investment. The advent of “pen testing” on database platforms is an effort to expose that soft underbelly.
“We realized that nobody is really offering that,” says John Vanderwall, HelpSystems’ vice president of business development for security services. “We had a customer approach us and ask us about doing that a while back, and we were able to create a penetration testing statement of work, and actually do the work.”
Last week HelpSystems announced a new penetration testing service for IBM i. The new program was put together by Carol Woodbury, the former IBM OS/400 security architect who joined HelpSystems after it acquired Skyview, which she co-founded years ago with Vanderwall.
As Vanderwall explains, the new pen testing service involves conducting a risk assessment to identify potential security problems or misconfigurations in the client’s IBM i server, and then inserting a team of ethical hackers behind the company’s firewall to see if they can actually get the data.
“We’re literally signing on and using the information that we have from the risk assessment and trying to get access to the data,” he tells IT Jungle. “If we’re successful, we note that and document it to let people know. And if we’re not, we also let people know. Then follow it up with an executive summary.”
This hands-on approach can identify actual routes of entry into the system that may not be apparent by just conducting a risk assessment, says Jill Martin, HelpSystems vice president of services.
“We definitely try to enter and get at the system in many different ways,” she says. “When we do any kind of assessment of a system, you can identify what are perceived holes or vulnerabilities. But this takes the next step and actually proves whether those are true or not.”
There may be additional layers of security in effect that were not caught during the assessment, simply because every environment is different, she says. “The i is very securable, either through the operating system or a product you put on the system. But that doesn’t necessarily mean that everybody is taking advantage of what’s available to them.”
For example, an IBM i shop may be running an exit point security tool, such as PowerTech‘s Network Security software (PowerTech is another HelpSystems subsidiary). But that doesn’t necessarily mean that the exit point tool has been configured with the rules required to prevent unauthorized access to data. “And even if you have rules, it doesn’t mean that they’re actually blocking the appropriate kind of traffic,” Martin adds.
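The gap Martin describes, rules that exist but don’t cover every access path, is easy to check for if you treat the rule set as data and test it against the accesses you expect to be denied. The script below is an added illustration, not code from the article, from HelpSystems or from PowerTech’s product; the rule model, the server labels (“*ODBC”, “*FTPSERVER”, “*FILESRV”) and the user names are all constructed for the example and do not correspond to any real exit point or product configuration syntax.

```python
"""Added example: verify that an exit-point rule set blocks what you think
it blocks. All rules, server labels and user names below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    server: str   # constructed label for an access path (exit point)
    user: str     # a user profile name, or "*PUBLIC" for everyone else
    allow: bool   # True = permit, False = reject


@dataclass(frozen=True)
class Access:
    server: str
    user: str


def evaluate(rules, access):
    """Return True if the access would be permitted under these rules.

    Assumptions of this example: a user-specific rule takes precedence over a
    *PUBLIC rule for the same server, and a server with no rule at all falls
    through to 'allow', which models an exit point the tool never covered."""
    for rule in rules:
        if rule.server == access.server and rule.user == access.user:
            return rule.allow
    for rule in rules:
        if rule.server == access.server and rule.user == "*PUBLIC":
            return rule.allow
    return True  # nothing configured for this path, so nothing blocks it


def find_gaps(rules, expected_denied):
    """Return every access that should be denied but the rule set still permits."""
    return [a for a in expected_denied if evaluate(rules, a)]


# Constructed rule set that "has rules": ODBC is locked down for everyone except
# the application profile, but the other access paths were never given rules.
WEAK_RULES = [
    Rule("*ODBC", "*PUBLIC", allow=False),
    Rule("*ODBC", "APPUSER", allow=True),
]

# Corrected rule set: every access path to the data has a deny-by-default
# *PUBLIC rule plus an explicit allow for the one profile that needs it.
FIXED_RULES = WEAK_RULES + [
    Rule("*FTPSERVER", "*PUBLIC", allow=False),
    Rule("*FILESRV", "*PUBLIC", allow=False),
    Rule("*FILESRV", "APPUSER", allow=True),
]

# Constructed test cases: an ordinary interactive user should not be able to
# reach the database through any of these paths.
EXPECTED_DENIED = [
    Access("*ODBC", "CLERK"),
    Access("*FTPSERVER", "CLERK"),
    Access("*FILESRV", "CLERK"),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        gaps = find_gaps(rules, EXPECTED_DENIED)
        print(f"{name}: {len(gaps)} uncovered path(s): "
              + ", ".join(f"{g.server}/{g.user}" for g in gaps))
```

Run as-is, the weak rule set reports two uncovered paths (FTP and file serving) while the corrected set reports none. The useful habit is the second list, not the first: write down which accesses must fail, and re-run that list whenever the rules change, because a rule set that merely contains rules tells you nothing about which traffic it actually stops.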
At the end of the day, there are many shades of gray in the security business, and the best way to determine the real-world condition of a company’s IBM i security posture is to emulate the bad guys.
“There’s a gap of understanding there between secure or securable,” says HelpSystems CEO Chris Heim. “It goes back to the fundamental belief that the platform is secure. It’s securable, but it’s not secure. It’s a fantastic platform, but you definitely have to do some work to lock it down.”
Because it uses the results of a security assessment as a sort of roadmap, the company characterizes its approach as “gray box” penetration testing, as opposed to “black box” testing, where hackers have no knowledge of how the box is configured and will use any and all approaches to crack it.
In terms of the skill level of the hackers that HelpSystems brings to bear, the service emulates the knowledge possessed by a typical IBM i system administrator who handles security issues and has access to critical data. You’re not getting somebody with “super hacker” or Woodbury-level IBM i security knowledge, but more run-of-the-mill abilities (think Napoleon Dynamite with SECADM).
“It’s somebody who knows their way around the IBM i,” Vanderwall says. “That’s the kind of thing that the pen testing exposes to the client. It lets them know that there is this sort of capability out there, and a person with a modicum of knowledge of the IBM i could get access to this data.”
Pen testing of perimeter security components like firewalls is far more robust, which simply reflects where companies have invested their time. The massive data breaches at Target, Home Depot, and other companies show that investments are needed deeper in the IT stack.
“Network penetration testing is a far more mature thing that’s been around for some time,” Vanderwall says. “I think the next level of going after the platforms and getting closer to the data to do penetration testing is a new thing we’re seeing with PCI requirements.”
For years, the IBM i platform has been a bit of a mystery to outside auditors, who tend to be more familiar with Windows, Linux, and Unix systems. That’s why the new requirement to conduct annual penetration tests of servers that fall under the scope of PCI is likely to create some friction.
“This shines a bright spotlight, if you will, on the fact that data is really the crown jewel of what’s out there, and people really need to protect that,” Vanderwall says. “The best way you can do that is to take not only the risk assessment but to go to the next level and prove that those risks are valid.”